Automakers stumped: Report says hackers can hijack almost any car

Almost all automobiles sold today contain systems that can potentially be compromised by hackers, a United States Senator warns, but automakers appear largely unaware of the implications, according to his report.

Sen. Ed Markey
(D-Massachusetts) is calling on the world’s automobile makers to
implement mandatory safeguards after his congressional inquiry
revealed a widespread absence of security and privacy protection
with regards to cars currently being sold around the
world.

Security that could curb hacking against automobiles or allow
sensitive information to be compromised must be put in place by
the auto industry, Markey’s office warns in the report published Monday, and current
protection, when it’s brought to bear, is largely inconsistent.

The report warns modern automobiles are increasingly collecting
sensitive information about personal driving habits and history,
which is often held indefinitely and then offered to
third-parties, in turn allowing companies the ability to keep
detailed information about not just car performance, but also
where a driver has traveled.

“Drivers have come to rely on these new technologies, but
unfortunately the automakers haven’t done their part to protect
us from cyber-attacks or privacy invasions. Even as we are more
connected than ever in our cars and trucks, our technology
systems and data security remain largely unprotected,” Sen.
Markey, a member of the Commerce, Science and Transportation
Committee, said in a statement on Monday. “We need to work
with the industry and cyber-security experts to establish clear
rules of the road to ensure the safety and privacy of
21st-century American drivers.”

Markey’s team considered studies by the Pentagon’s Defense
Advanced Research Projects Agency (DARPA) in 2013 and 2014 in
preparing the report, and sent questionnaires to 20 automakers
inquiring about each manufacturer’s technology, security
precautions and privacy policies.

Only 16 of the automakers responded, according to this week’s
report, but their answers were enough to leave Sen. Markey’s
office issuing a plea for car companies to increase security
measures concerning the cars’ increasingly advanced technologies
and privacy protections for the data it records.

“These findings reveal that there is a clear lack of
appropriate security measures to protect drivers against hackers
who may be able to take control of a vehicle, or against those
who may wish to collect and use personal driver
information,” a portion of the report reads.

According to Sen. Markey’s office, the answers supplied by
automakers suggested that nearly 100 percent of cars currently on
sale include wireless technology that pose hacking
vulnerabilities or privacy intrusions, yet most manufacturers
were unaware of previous incidents in which critical components
of certain cars were completely compromised by malicious hackers.

“Only two automobile manufacturers were able to describe any
capabilities to diagnose or meaningfully respond to an
infiltration in real-time, and most say they rely on technologies
that cannot be used for this purpose at all,” the report
found.

"Look how many of the last year's recalls related to electronic
issues ... it's not going to be that far along — whole
generations of vehicles — that could be vulnerable ... it's not
sci-fi," Sean Kane, president of the Massachusetts-based Safety
Research and Strategies, told The Detroit News.

Even the latest models available for sale, Kane told the paper,
use imperfect technology that can be exploited and become a
"wide open door" to hackers.

Additionally, the ever-increasing collection of car data raised
concerns in the senator’s office. Half of all cars sold today
transmit and store data off-board, the report found, yet largely
absent are safeguards or sound privacy practices to keep that
information from ending up in unintended hands.

“Customers are often not explicitly made aware of data
collection and, when they are, they often cannot opt out without
disabling valuable features, such as navigation,” his office
determined.

If data collection is not disabled, the report warns, third-party
companies can obtain that information and potentially use it for
any reason of their choosing.

Two major automobile coalitions, the Alliance of Automobile
Manufacturers and the Association of Global Automakers, recently
adopted voluntary privacy principles in order to keep sensitive
information from wrongly being used. According to the report,
though, this effort “provides little tangible assurances that
consumers will not disapprove of the ways in which manufacturers
use their sensitive information.”

Gordon Trowbridge, a spokesperson for the National Highway
Traffic Safety Administration, told Detroit News that regulators
will consider recommendations for enhanced protections as they
remain "engaged in an intensive effort to determine potential
security vulnerabilities related to new technologies."